Paternity and drug test details leak online in privacy breach

Asher Moses

Update 2:45pm: Medvet says it has now removed all private order information from Google's cached search results. Medvet has clarified that it first became aware of the issue on Friday, not in April as some reports have claimed.

Australians who bought drug and paternity tests from one of the country's largest providers are dealing with a serious privacy scare after details of their orders were found to be available online.

An example of one of the paternity test orders that were available online.

Medvet, owned by the South Australian government, appears to have failed to lock down its online order system and prevent it from being crawled by Google. Hundreds of orders of tests from people all over Australia can be found by searching Google for a specific term, which Fairfax Media has chosen not to publish.

The privacy breach was revealed over the weekend and, while the orders have been pulled from Medvet's site, all were still accessible through Google's cache as at noon today. The invoices detail specifics on the type of paternity test ordered or the specific drug that the person is being screened for.

The company's managing director Greg Johansen said in a phone interview this afternoon: "We've got a forensic computer person working through and removing them [Google's cache results] now."

The Privacy Commissioner, Timothy Pilgrim, has begun an investigation into the matter including claims Medvet knew about the privacy breach since April. South Australia Health said it would send in external auditors to examine Medvet's systems.

Advertisement

Medvet, which claims it prioritises customer privacy and confidentiality, has not yet contacted customers whose order details were revealed, saying it will do this once an internal investigation has been completed. It claims only paternity and drug test order details and customer addresses were revealed, not test results and names.

Asked why the personal information remained online, a Google Australia spokeswoman said the search giant would only remove something from its search engine if it is specifically asked to. There are various tools Google provides to website owners allowing them to prevent certain pages from being crawled by the search engine.

Nigel Phair, a former AFP officer who now works as a private security consultant, said the Medvet breach was "yet another example" of why Australia needs laws forcing companies to reveal when they have been hit with a privacy breach.

"The Medvet messaging has been quite slow and they appeared unconcerned with the matter," he said.

"This is an example of the organisation's directors not being fully cognisant with their responsibilities to inform the market of such issues which impact on the functioning of their organisation."

Mr Phair said Medvet should have proactively involved the Privacy Commission and SA Police and informed affected customers and clients. "Merely saying they are undertaking an audit is not a strong enough response," he said.

Medvet managing director Greg Johansen said in a statement the company "deeply regrets that its its web store security has been compromised".

Despite the use of the term "compromised" Medvet has yet to provide evidence that there was an attack on its systems.

Rob McAdam, chief executive of computer security firm Pure Hacking, said that until a proper investigation was completed "it's not possible to ascertain whether their site was maliciously targeted or if security controls simply did not prevent Google from indexing the sensitive information".

Mr McAdam said Medvet should be working with Google to have cached copies of the private data removed as soon as possible and this should be followed up immediately by a review of the company's website security to ensure the appropriate controls were in place to prevent similar incidents from occurring in future.

Mr Johansen said some clients' delivery addresses and product order details had become available on the internet but he stressed that no client names, bank account details or results of any tests had been disclosed.

"On becoming aware of this Medvet Laboratories immediately closed the web store and we have initiated the necessary steps to have the information removed from the internet," he said.

"The Medvet Laboratories board has instructed that an independent investigation is undertaken immediately into how this has occurred, who is affected and what can be done to address it. Once we have all the facts we will contact the clients whose details have been published to the internet."

The Australian reported that Medvet was aware of the privacy breach since April but had failed to rectify it. Medvet has yet to confirm or deny this.

SA Health said it only became aware of this matter on Saturday and stressed that, while Medvet was owned by the South Australian government, the company operated as an independent board. Further, SA Health's IT systems were separate and had not been compromised.

David Swan, chief executive of SA Health, said Medvet had agreed in its forensic review to quantify what information had been accessed and by whom, assess software systems for security, advise on when Medvet staff were made aware of the matter and "provide advice on the matter that allegedly occurred in April of this year and what risk mitigaiton has occurred since".